Incident Handler (DCO)

Location: Ft. Huachuca, AZ
Date Posted: 07-06-2018
Job Title: Incident Handler (DCO)
Job Location: Fort Huachuca, AZ
Salary: Competitive, Depends on Qualifications
Clearance: Current DoD Top Secret/SCI
Travel: Up to 25% CONUS
The purpose of this task is to provide all personnel, equipment, supplies, facilities, transportation, tools, materials, supervision, and other items and non-personal services necessary to support the RCC-C
The Incident Handler (DCO) monitors DCO tools for signs of potential or confirmed security incidents and executes the appropriate incident response actions including elevation of analysis to forensic/threat analysts or notification of law enforcement or CI agencies.
  • Provide Tactical DCO integration support to United States Forces Command (FORSCOM) units by integrating tactical network sensor events and signature analysis into the Regional Cyber Center DCO processes.
  • Provide analysis and signature development assistance to ensure tactical unit is able to detect, identify, and respond to threats on the network.
  • Ensure Tactical data feeds are ingested into the Regional Cyber Center SIEM, and that unit data is sent down to the tactical edge.
  • Provide Incident Response and analysis on detected or reported malicious events. Analyze on average 6 to 10 daily cyber threat reports and recommend internal defense measures for the theater.
  • Develop, test, and distribute baseline signatures for threat sensors. Update baselines as necessary, validating them for proper syntax and minimizing false positives.
  • Review, activate, modify, or deactivate on average 1300 sensor grid signatures monthly.
  • Conduct all development and testing on isolated networks.
  • Document and conduct a test plan with procedures, results, operational procedures, and a maintenance plan annually or as signatures are developed or updated.
  • Report incidents to law enforcement and counterintelligence agencies.
  • Maintain an up-to-date Point of Contact (POC) list for Law Enforcement and Counterintelligence (LE and CI) agencies as routinely provided by Computer Crimes Investigative Unit (CCIU) and Cyber Counter Intelligence agencies.
  • Ensure all initial incident investigation reports are provided to LE and CI.
  • In cases where an active investigation will be opened, analysts will coordinate subject matter expertise and provide assistance to LE and CI per Army Regulation AR 25-2, Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510, and local incident handling procedures. LE and CI agencies will provide a written request in accordance with local TTP that will include, at a minimum, the official case number and the specific data logs and information required.
  • Expertise and support to be provided consists of providing required data along with a summary or analysis of the data.
  • Data and answers provided in the analysis shall pertain specifically to requirements in the LE and CI official request or within DCO-D TTPs (i.e., do not provide data or answers to anything not specifically requested by LE and CI).
  • Cyberspace Incident Response: Based on guidance provided by DCO-D (and/or ARCYBER) leadership, develop, staff, coordinate and execute Incident Response investigations for the operational environment (unclassified and classified).
  • Investigations shall address each pre-determined category of incident (IAW CJCSM 6510) detected (internally or externally reported); address priorities and types of internal defensive measures and potential mitigation strategies to be employed (acceptable level of risk); and include applicable aspects of the most current Cybersecurity Services Evaluator Scoring Matrix.
  • The average number of incident response investigations opened on a monthly basis is 800 to 1,000.
  • Incident Response and Coordination: Identify and maintain visibility of all potential or confirmed incidents/security issues IAW ARCYBER policies and procedures.
  • Respond to ARCYBER inquiries on incident status or issues as appropriate or as requested by the TM.
  • Conduct quality control of incidents to maintain compliance with CJCSM 6510.
  • Provide and coordinate incident trend analyses IOT identify systemic or potential issues on reported and confirmed incidents.
  • Provide and brief incident details IAW policies and procedures.
  • Coordinate and synchronize Incident Handling (IH) actions or incidents with LE and CI per TTP.
  • Pull any necessary data to determine scope of reported incidents.
  • Ensure all investigation reports are auto-forwarded to ACID with the most current action visible to the ARCYBER Incident Handling Portal.
  • Incident Analysis: Capture and perform initial analysis on captured volatile data, log data, captured network traffic data, etc. to identify any immediate intrusion related artifacts which in turn will allow immediate defensive countermeasures to be implemented.
  • Develop necessary procedures or scripts to identify such data. Immediately upon capture of volatile data and/or power down of each individual system, in conjunction with ACOIC|FMA|RCC request, coordinate the shipment of original forensic evidence (hard drive, USB drive, etc.) to ACOIC G33 DCO FMA for initial forensic imaging.
  • Individual files identified or suspected of being malicious will be sent by e-mail in one of several formats to the G33 DCO FMA distribution list, who will in turn analyze the files by automated malicious code analysis and/or by static analysis/dynamic analysis/reverse engineering performed by G33 DCO FMA malware analysts.
  • Works and interacts with other DCO professionals internal and external to Army Cyber Command, with Law Enforcement and Counter Intelligence LNOs, and intelligence professionals as a technical specialist to understand higher-level adversary capability.
  • Document, update and enhance processes and procedures by producing training materials, standards documents and reports.
  • Employees will possess exceptional knowledge, experience, and certifications with commercial computer incident triage tools including but not limited to: CCIU LogCollector, EnCase Enterprise / Cybersecurity, AccessData eDiscovery, Mandiant Redline, Tanium, etc.
  • Employees will have strong working knowledge and experience with all Windows OS platforms including but not limited to: Windows 7/8/10, Server 2K3/2K8/2012/2016, etc.
  • Employees will have working knowledge and experience with varying flavors of Unix/Linux platforms, and Apple based operating systems.
  • Bachelor’s degree in Computer Science, Cyber Security, Information Security or related field.
Required Certifications:
  • GIAC Certified Incident Handler (GCIH)
  • IAT Level II (CCNA Security, GICSP, GSEC, Security+ CE, etc.)
Required Skills/Qualifications:
  • Eight (8) years of information technology experience
  • Required training: GCIH, CASP CE, CISSP
About the company:
As a Service Disabled, Veteran Owned Small Business (SDVOSB) we are a provider of Information Technology (IT) professional services, software solutions and professional development training. Our core competencies evolved from leveraging IT enablers for knowledge management with an emphasis on Web Based Knowledge Portals and Portal Services, Server/System Services, SharePoint Development and System Administration and SQL Server Services. Our capabilities have expanded to include software development, technical training support and field support services.
Guiding Principles
  • Satisfy the customer - "Exceed expectations"
  • Set the Example - "Be out front"
  • Be Responsive - "Timing is everything"
  • Persevere - "Find a way"
PTP offers a comprehensive benefits program:
  • Medical insurance
  • Dental insurance
  • Vision insurance
  • Supplemental benefits (Short Term Disability, Cancer & Accident)
  • Employer-sponsored Basic Life & AD&D Insurance
  • Employer-sponsored Long Term Disability
  • 401(k)
Holidays and Annual Leave
  • 10 Paid Holidays
  • 120 hours PTO accrual
